Microsoft Issues Producer Upgrade to Plug Security Vulnerability

Microsoft upgrades its Producer add-in to block the possibility of a buffer overflow vulnerability being exploited. The company patched the security vulnerability in Microsoft Movie Maker in March, but neglected to update Producer at the time.

Microsoft has released a new
version of its Producer add-in component to fix a vulnerability previously
left unpatched.
In March, Microsoft issued a patch
for a buffer overflow vulnerability in Microsoft Movie Maker that also affected
users of Producer, which is a free, downloadable tool for Office PowerPoint
2002 and 2003 designed to make it easier for users to synchronize audio, video
and images to create presentations.

At the time, Microsoft chose not to update Producer to address the issue
because the product does not offer a means for an automatic update.

"Based on our investigation, we determined that the best way to protect
the vast majority of customers was to release an update addressing the
components that shipped with Windows," blogged Jerry Bryant, senior
security communications manager lead for Microsoft's Security
Response Center.
The May 3 upgrade is meant to plug the security hole, which could
potentially be exploited to allow an attacker to run arbitrary code with the
rights of the logged-on user. So far, Microsoft has not observed any attacks
targeting the vulnerability.
"In addition, Microsoft fixed installation switches for the Movie Maker
2.6 on Windows Vista and Windows 7 patches," said Jason Miller, data and
security team manager for Shavlik Technologies. "If you have already
applied these patches to your systems, you will not need to reapply the
patches."
Those who do not want to upgrade can apply the workaround available as a Microsoft FixIt.
"The FixIt removes the file association from the application to prevent
files from being opened in Producer when you double-click on them," Microsoft
said. "Users who apply the FixIt can still open their projects by first
launching Producer and then opening the file from within the application."